SPECIFICATION 



TO ALL WHOM IT MAY CONCERN: 

BE IT KNOWN that we, ATSUSHI FUJIOKA, a subject of Japan and 
residing at Shinjuku-ku, Tokyo, Japan, MASAYUKI ABE, a subject of Japan
and residing at Shinjuku-ku, Tokyo, Japan and FUMIAKI MIURA, a subject 
of Japan and residing at Shinjuku-ku, Tokyo, Japan have invented certain 
new and useful improvements in 

"ELECTRONIC VOTING METHOD AND SYSTEM AND 
RECORDING MEDIUM HAVING RECORDED THEREON 
A PROGRAM FOR IMPLEMENTING THE METHOD"

and we do hereby declare that the following is a full, clear and exact 
description of the same; reference being had to the accompanying drawings 
and the numerals of reference marked thereon, which form a part of this 
specification. 




ELECTRONIC VOTING METHOD AND SYSTEM AND 
RECORDING MEDIUM HAVING RECORDED THEREON 
A PROGRAM FOR IMPLEMENTING THE METHOD 

BACKGROUND OF THE INVENTION

The present invention relates to an electronic voting system and 
method for implementing secure secret voting in elections, 
questionnaire surveys or the like which are conducted through a 
telecommunication system. The invention also pertains to a 
recording medium having recorded thereon a program for
implementing the electronic voting method. 

What is meant by the word "voting" herein is a procedure in which
voters each choose a predetermined number (one or more) of
candidates from those offered to them and a counter counts the
number of votes cast for each candidate. The candidates mentioned
herein may be not only the names of candidates in elections but also
items or headings of choice in statistical surveys. The content of
the vote is identification information representing the candidate
chosen by the voter, such as a symbol, name, or heading.

Since the secret voting scheme provides security for the
correspondence between the voters and the contents of their votes
and lends itself to protecting the privacy of individuals with
respect to their thought and belief, the scheme can be used, for
instance, in teleconferencing and questionnaire surveys by CATV or
similar two-way communication.

To implement secure secret voting by telecommunication, it is
necessary to prevent the impersonation of voters, double voting and
a leakage of the content of the vote by wiretapping its message or
text. As a solution to these problems, there have been proposed
electronic voting schemes using the digital signature technique, for
example, in Atsushi Fujioka, Tatsuaki Okamoto and Kazuo Ohta, "A
practical secret voting scheme for large scale elections," Advances in
Cryptology-AUSCRYPT '92, Lecture Notes in Computer Science 718,
Springer-Verlag, Berlin, pp. 244-251 (1993) and Japanese Patent
Application Laid-Open No. 19943/94 (laid open November 28, 1994)
entitled "Electronic Voting Method and Apparatus."

In this conventional method, a voter V_i encrypts the content of
his vote (hereinafter referred to as the vote content) v_i by a key
k_i into a ciphertext x_i, then randomizes it by a random number r_i
to create a preprocessed text e_i for getting a blind signature, then
attaches his signature s_i to the text e_i, and sends the signed text
to an election administrator A. The administrator A first verifies
the validity of the voter on the basis of the signature s_i, then
attaches his blind signature d_i to the preprocessed text e_i, and
sends it back to the voter V_i. The voter V_i retrieves a signature
y_i of the election administrator A for the ciphertext x_i from the
blind signature d_i affixed to the preprocessed text e_i, and sends
the administrator's signature y_i to a counter C together with the
ciphertext x_i. The counter C makes sure that the ciphertext bears
the administrator's signature y_i, and publishes the ciphertext x_i
in its entirety. The voter V_i sends the counter C the key k_i used
for the encryption of his vote content v_i when his ciphertext x_i is
found registered, and if not registered, the voter V_i presents a
protest against the counter C. The counter C uses his received key
k_i to decode or retrieve the vote content v_i from the ciphertext
x_i, and counts the number of votes cast for each candidate.

With this method, however, it is necessary for the voter V_i to
confirm the registration of his ciphertext x_i by checking a list of
ballots that is published after completion of the voting of all
voters and to send the key k_i to the counter C. Hence, the
conventional system lacks usability from a voter's point of view.

The following are pertinent references, but do not solve the
above-stated problems: Japanese Patent Application Laid Open Nos.
6-22325[illegible] (August 12, 1994), 6-176228 (June 24, 1994),
7-28915 (Jan. 31, 199[illegible]), 10-74182 (March 17, 1998),
10-283420 (Oct. 23, 1998), 1-177 16[illegible] (July 13, 1989), and
10-74046 (March 17, 1998). D. Chaum, "Elections with
Unconditionally-Secret Ballots and Disruption Equivalent to Breaking
RSA", in Advances in Cryptology, EUROCRYPT '88, Lecture Notes in
Computer Science 330, Springer-Verlag, Berlin, pp. 177-182 (1988),
L. F. Cranor et al., "Design and Implementation of a Practical
Security-Conscious Electronic Polling System", WUCS-96-02, Department
of Computer Science, Washington University, St. Louis (Jan., 1996),
M. A. Herschberg, "Secure Electronic Voting Over the World Wide Web",
Master's Thesis in Electrical Engineering and Computer Science,
Massachusetts Institute of Technology (1997).

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a
simple and convenient electronic voting system and method which
ensure voter privacy in making a complaint about a possible fraud
by the administrator, have robustness against system dysfunction
and obviate the necessity for voters to send their encryption keys to
the counter after voting.

Another object of the present invention is to provide a 
recording medium on which there is recorded a program for 
implementing the above electronic voting method.

In the present invention, each voter encrypts his vote content
by a public key of the counter, then randomizes the encrypted vote
content by a random number to create a preprocessed text, then
attaches thereto his signature, and sends the signed text to the
election administrator. The election administrator verifies the
validity of the voter through utilization of his signature attached to
the encrypted text, then attaches a blind signature to the
preprocessed text, and sends back the signed preprocessed text to
the voter. The voter excludes the influence of the random number
from the blind signature attached to the preprocessed text to obtain
administrator's signature information about the encrypted vote
content, and sends the signature information as vote data to the
counter together with the encrypted vote content. The counter
publishes the vote data after making sure that the signature
information on the encrypted vote content received from the voter
bears the administrator's signature. After every voter confirms the
registration of his encrypted vote content in the published list of
vote data, the counter decrypts the encrypted vote content by a
secret key of his own and counts the number of votes cast for each
candidate. If his encrypted vote content is not registered in the list
of vote content, the voter complains about it to the counter. It is
also possible to provide a system configuration wherein a plurality
of counters each hold part of a decryption key and all or a certain
number of them collaborate to decrypt all the encrypted vote
contents.

According to the present invention, the randomization of the 
vote content with the random number gives no chance for either of 
the election administrator and the counter to view the vote content, 
and hence it guarantees the secrecy of voting. 

The decryption key is in the possession of the counter, and
the voter need not communicate with the counter again for vote
counting.

With the system configuration wherein the plurality of counters
work together to decrypt the encrypted vote content, the validity of
the voter can be proved simply by sending the encrypted vote and
the administrator's signature. That is, even if one or more of the
counters commit fraud, the vote content will not be revealed unless
all the counters or a certain number of them conspire.

Furthermore, since encrypted vote contents are sent to each of
the distributed counters, the intermediate results of the vote count
will not be revealed, either, without a conspiracy by all or a certain
number of counters; this provides increased fairness in the voting
system.

Besides, in the system wherein the encrypted vote contents can
be decrypted by only a certain number of counters, even if some of
the counters are dishonest or unable to collaborate in decryption,
it is possible to decrypt the vote contents; hence, the system is
highly fault tolerant.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram illustrating the general configuration of
a voting system according to a first embodiment of the present
invention;

Fig. 2A is a table depicting a list of eligible voters;
Fig. 2B is a table depicting a list of voters given the right to vote;
Fig. 2C is a table depicting a list of ballots as received;
Fig. 2D is a table depicting a list of ballots as counted;
Fig. 2E is a table depicting a list of votes polled for each
candidate;

Fig. 3 is a block diagram showing an example of the functional
configuration of a voter apparatus 100;

Fig. 4 is a block diagram showing an example of the functional
configuration of an election-administrator apparatus 200;

Fig. 5 is a block diagram showing an example of the functional
configuration of a counter apparatus 300;

Fig. 6 is a diagram depicting a voting procedure;

Fig. 7 is a block diagram illustrating the general configuration of
a voting system according to a second embodiment of the present
invention;

Fig. 8A is a block diagram depicting an example of the
functional configuration of a distributed counter apparatus 300_1 in
Fig. 7;

Fig. 8B is a block diagram depicting an example of the functional
configuration of each of distributed counter apparatuses 300_2
through 300_U in Fig. 7;

Fig. 9 is a block diagram illustrating the general configuration of
a voting system according to a third embodiment of the present
invention;

Fig. 10A is a block diagram depicting an example of the
functional configuration of each of distributed counter apparatuses
300_1 through 300_(U-1) in Fig. 9; and

Fig. 10B is a block diagram depicting an example of the
functional configuration of a distributed counter apparatus 300_U in
Fig. 9.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

While the present invention will hereinafter be described as
being applied to the voting in elections, the principles of the
invention can also be applied intact to the voting in statistical
surveys as referred to previously.

EMBODIMENT 1 

Fig. 1 schematically illustrates the general configuration of the
voting system according to the present invention. Apparatuses 100
of T voters V_i (where i = 1, ..., T) (which apparatuses 100 will
hereinafter be referred to as voter apparatuses) are each connected
to an apparatus 200 of an election administrator A (which apparatus
200 will hereinafter be referred to as an administrator apparatus)
and an apparatus 300 of a counter C (which apparatus 300 will
hereinafter be referred to as a counter apparatus) via
nonanonymous and anonymous communication channels 400 and
500, respectively. When sending information to the administrator A
via the nonanonymous communication channel 400, the voter V_i
adds to the information sender information indicating who the
sender is, for example, his name V_i or identification information
ID_i. In the case of sending information to the counter C via the
anonymous communication channel 500, the voter adds no sender
information. The counter C publishes a list of vote contents (a list of
votes and a list of the number of votes polled for each candidate),
which is accessible from all the voters. Fig. 3 depicts an example of
the configuration of the voter apparatus 100 in the voting system of
Fig. 1, Fig. 4 an example of the configuration of the administrator
apparatus 200, Fig. 5 an example of the configuration of the counter
apparatus 300, and Fig. 6 an example of a communication sequence
in the voting system of the present invention. Fig. 2A exemplifies a
list of eligible voters (hereinafter referred to as an eligible-voter
list) 240A, Fig. 2B a list of voters authorized to vote (hereinafter
referred to as an authorized-voter list) 240B, Fig. 2C a list of ballots
as received by the counter C but not yet counted (which list will
hereinafter be referred to as a ballot list) 320A, Fig. 2D a list of
ballots counted (hereinafter referred to as a counted-ballot list)
320B, and Fig. 2E a list of the numbers of votes polled for individual
candidates (hereinafter referred to as a poll list) 320B.

A description will be given of the voting procedure that the
voter V_i carries out between himself and the counter C after being
authorized by the administrator A to vote.

The following is a list of notations that are used in describing
the invention below.

x = ξ_C(v, k_PC): encryption function of the counter C (x: ciphertext,
v: vote content, k_PC: public key of the counter)

v = ρ_C(x, k_SC): decryption function of the counter C (k_SC: secret
key of the counter)

s = σ_i(e): signature generating function of the voter V_i (s:
signature, e: encrypted vote content)

e = ζ_i(s): verification function for the signature of the voter V_i

d = σ_A(e): a blind signature generating function of the
administrator A (d: blind signature)

z = ζ_A(y): verification function for the signature of the
administrator A (y: signature, z: ballot)

e = ω_A(z, r): randomizing function (r: random number)

y = δ_A(d, r): derandomizing function (d: blind signature)
The encryption function ξ_C and decryption function ρ_C of the
counter C are used in known public key cryptosystems. Now, let it
be assumed that the counter C keeps the secret key k_SC in secrecy
and publishes the public key k_PC to the voters. The randomizing
function ω_A(z, r) for the voter V_i to blind the message m by the
random number r (to preprocess the ballot for the attachment
thereto of the administrator's blind signature) prior to requesting it
and the derandomizing function δ_A(d, r) for removing the random
component r from the received blind signature d to extract the
signature y of the administrator A attached to the ballot are
inevitably determined once the blind signature function of the
administrator A is determined. Such signature functions are, for
example, an encryption function and a decryption function of the
RSA cryptosystem (Ronald Rivest, Adi Shamir and Leonard Adleman,
"A method for obtaining digital signatures and public-key
cryptosystems," Communications of the ACM, Vol. 21, No. 2, pp. 120-
126 (Feb., 1978)), and the scheme for randomization with a random
number as preprocessing for requesting the blind signature is
described in detail in David Chaum, "Security without identification:
Transaction systems to make big brother obsolete," Communications
of the ACM, Vol. 28, No. 10, pp. 1030-1044 (Oct., 1985).

Turning next to Fig. 3, the configuration of the voter apparatus
100 will be described. In a storage part 121 there is prestored
identification information ID_i of voters and their names V_i. Of the
data that is generated in the apparatus 100, data to be used
afterward is also stored in the storage part 121. An encryptor 110
encrypts the vote content v_i (the candidate name CND_h in this
case) chosen by the voter V_i using the public key k_PC of the
counter C to obtain the ciphertext x_i = ξ_C(v_i, k_PC). A tag
generator 111 generates a random number t_i, which is revealed only
to the voter V_i and is used as a tag in such a manner as described
below. A concatenator 112 concatenates the ciphertext x_i with the
tag t_i and outputs z_i = x_i || t_i. The output z_i will hereinafter
be referred to as a ballot. A random generator 120 generates a
random number r_i. A randomizer 130 randomizes the ballot z_i by
the random number r_i based on the randomizing function
e_i = ω_A(z_i, r_i) to generate a preprocessed text e_i. A signature
generator 140 generates a signature s_i = σ_i(e_i, ID_i) that is
attached to the preprocessed text e_i to indicate its origin V_i. Data
<e_i, s_i, ID_i> is sent to the administrator apparatus 200 via the
communication channel 400. The voter apparatus 100 is held
connected to the administrator apparatus 200 via the communication
channel 400 until the former receives a blind signature d_i from the
latter.

A derandomizer 150 removes the random component from the
blind signature d_i received via a transmitting-receiving part 190
from the administrator apparatus 200 by the random number r_i
based on derandomizing function y_i = δ_A(d_i, r_i), thereby
obtaining y_i as the signature of the administrator A for the ballot
z_i. A signature verification part 160 verifies the validity of the
signature y_i by making a check to see if a verification function
z_i = ζ_A(y_i) holds. Data <z_i, y_i> is sent as vote data via a
transmitting-receiving part 180 to the counter apparatus 300. A list
checking part 170 checks the ballot list 320A received via the
transmitting-receiving part 180 from the counter apparatus 300 in
response to an access thereto from the voter apparatus 100.

The administrator apparatus 200 depicted in Fig. 4 comprises: a
storage part 240 for recording therein the eligible-voter list 240A
(Fig. 2A) with the identification information ID_i of eligible voters
prestored and the authorized-voter list 240B (Fig. 2B) for storing the
identification information ID_i of voters authorized to vote; a voter
checking part 210 for making a check to see if the identification
information ID_i received from the voter is placed on the eligible-
voter list; a signature verification part 220 for verifying the validity
of the voter's signature s_i attached to the preprocessed text e_i
received from the voter by making a check to see if a verification
function e_i = ζ_i(s_i) holds; a voter list generating part 260 for
generating the authorized-voter list 240B (Fig. 2B) by writing data
on authorized voters in a predetermined area of the storage part
240; a transmitting-receiving part 250 for data exchange with each
voter apparatus 100; and a signature generator 230 for generating a
blind signature d_i = σ_A(e_i) to be attached to the preprocessed
text e_i.

As shown in Fig. 5, the counter apparatus 300 comprises: a
signature verification part 310 for verifying the validity of the
signature y_i of the administrator A by making a check to see if
z_i = ζ_A(y_i) holds for the ballot z_i and the administrator
signature y_i in the vote data <z_i, y_i> received via a receiving
part 360 from the voter apparatus 100, through the use of a
verification function ζ_A(y_i); a storage part 320 which gives a
serial number q_i to the vote data <z_i, y_i> and places and stores it
on the list of ballots (hereinafter referred to as a ballot list) 230A
(Fig. 2C); a separation part 350 for separating the ciphertext x_i
from the ballot z_i = x_i || t_i; a decryptor 330 for decrypting the
ciphertext x_i by the counter's secret key k_SC based on the
decryption function ρ_C to obtain v_i = ρ_C(x_i, k_SC) as the vote
content; and a counter 340 for counting the vote content v_i.
Further, the vote data corresponding to the serial number q of the
ballot list 320A held in the storage part 320 is added with the
decrypted vote content v_i as depicted in Fig. 2D. The results of the
vote count, that is, the numbers of votes polled for each candidate
(CND_h, where h = 1, 2, ...), are stored as the poll list 320B of
Fig. 2E in the storage part 320. The contents of the ballot list 320A
and the counted-ballot list 320B are sent via a transmitting-receiving
part 380 to the voter apparatus 100 that has accessed the counter
apparatus 300.

Turning next to Fig. 6, the voting procedure in the first
embodiment will be described.

Step 1: The voter V_i makes preparations for voting by the voter
apparatus 100 (Fig. 3) as described below.

Step 1-1: The voter V_i encrypts the vote content v_i by the
encryptor 110 using the public key k_PC of the counter C and the
encryption function ξ_C to generate the ciphertext

    x_i = ξ_C(v_i, k_PC).

Then, the voter V_i generates the tag t_i by the tag generator 111 and
concatenates it with the ciphertext x_i by the concatenator 112 to
obtain the ballot

    z_i = x_i || t_i.

The tag t_i is, for instance, a random number and only the voter V_i
knows that it is his own tag.

Step 1-2: The voter V_i generates the random number r_i by the
random generator 120, and randomizes the ballot z_i by the
randomizer 130 using the random number to create the
preprocessed text

    e_i = ω_A(z_i, r_i).

Step 1-3: The voter V_i generates, by the signature generator
140, the signature s_i for the preprocessed text e_i and the
identification information ID_i:

    s_i = σ_i(e_i, ID_i).

After this, the voter sends the data <e_i, s_i, ID_i> to the
administrator apparatus 200.

Step 2: The administrator apparatus 200 (Fig. 4) has prestored
therein the relationship between the registered eligible voters'
names V_i and their identification information ID_i as the eligible-
voter list 240A (Fig. 2A), and has the authorized-voter list 240B (Fig.
2B) in which the names V_i or identification information ID_i of the
voters authorized to vote are written by the voter list generating
part 260. Since the authorized-voter list is published after the
voting of all voters, the names V_i or identification information ID_i
of the authorized voters are recorded, depending on whether they
agree or disagree to reveal their names to the public. This is
predetermined prior to the start of the actual voting. The following
description will be given on the assumption that the identification
information ID_i of the voters V_i is written in the authorized-voter
list 240B (Fig. 2B). At the start of the voting procedure there is
nothing recorded in the voter list. The administrator A performs by
his apparatus 200 the following procedure to give the eligible voters
the right to vote.

Step 2-1: The administrator A makes sure that the voter is
eligible, by making a check in the voter checking part 210 to see if
his identification information ID_i is contained in the eligible-voter
list 240A (Fig. 2A). If not, the administrator A rejects the
authorization of the voter V_i.

Step 2-2: The administrator A ascertains whether the voter V_i
has been authorized to vote, by making a check in the voter
checking part 210 to see if his identification information ID_i has
already been written in the authorized-voter list 240B (Fig. 2B). If
the identification information ID_i is found in the authorized-voter
list 240B, the administrator A regards the voting by the voter V_i as
double voting and rejects the authorization.

Step 2-3: If the identification information ID_i is not found in the
authorized-voter list 240B, then the administrator A makes a check
to determine in the signature verification part 220 whether s_i, e_i
and ID_i satisfy the following equation:

    (e_i, ID_i) = ζ_i(s_i).

If so, the administrator A provides e_i to the signature generator 230
to calculate the signature d_i:

    d_i = σ_A(e_i).

Then the administrator A sends the signature d_i via the transmitting-
receiving part 250 to the voter apparatus 100 and, at the same time,
adds the identification information ID_i of the voter V_i by the voter
list generating part 260 to the authorized-voter list 240B (Fig. 2B) in
the storage part 240.

Step 2-4: After all voters vote, the administrator A publishes the
authorized-voter list 240B and the number of voters who actually
voted. For this publication, the administrator A preinforms all the
eligible voters that they are allowed to access the authorized-voter
list 240B in the storage part 240 of the administrator apparatus 200
via an arbitrary communication channel within a certain period
beginning on a predetermined date and time. The access to the
authorized-voter list 240B can be made, for example, using a
predetermined telephone number. The list 240B may also be
published at a predetermined address on the Internet.

Step 3: The voter V_i generates the ballot and its signature
information by the voter apparatus 100 (Fig. 1) as described below.

Step 3-1: The voter V_i inputs d_i and r_i into the derandomizer 150
to obtain the following signature information y_i on the ballot z_i:

    y_i = δ_A(d_i, r_i).

Step 3-2: The voter V_i makes sure that y_i is the signature of the
administrator A, by making a check in the signature verification part
160 to see if the following equation holds:

    z_i = ζ_A(y_i).

If not, the voter points out fraud by the administrator A,
presenting the data <e_i, d_i>.

Step 3-3: If it is verified that the signature is valid, the voter
sends data <z_i, y_i> via the transmitting part 180 to the counter
apparatus 300 over the anonymous communication channel 500.

Step 4: The counter C collects ballots by the counter apparatus 300
(Fig. 5) as described below.

Step 4-1: The counter C receives the vote data <z_i, y_i> from the
voter via the receiving part 360, and makes sure that y_i is a valid
signature on the ballot z_i, by making a check in the signature
verification part 310 to see if the following equation holds:

    z_i = ζ_A(y_i).

If the equation holds, the counter C gives the ballot z_i and its
signature y_i a serial number q common thereto and places them as
vote data <q, z_i, y_i> on the ballot list 230A (Fig. 2C) by a vote list
generating part 370.

Step 4-2: After all voters vote, the counter C publishes the ballot
list 320A by allowing an access to the storage part 320 via the
transmitting-receiving part 380. This list is supposed to be accessible
from all the voters. As is the case with the authorized-voter list 240B,
the counter C preannounces the period and place for publishing the
ballot list 320A.

Step 5: The voter conducts the following verification by the voter
apparatus 100.

Step 5-1: The voter V_i accesses the storage part 320 of the
counter apparatus 300 via the transmitting-receiving part 180, then
receives the contents of the ballot list 320A, and makes a check in the
list checking part 170 to see if the number of ballots placed on the
ballot list 320A is equal to the number of voters published in step 2-
4. If not, the voter V_i publishes the serial number q and the random
number r_i to point out fraud by the administrator A.

Step 5-2: The voter V_i makes a check in the list checking part
170 to see if his ballot z_i is contained in the ballot list 320A. This can
be done by verifying whether the ballot z_i itself is contained in the
list 320A, or whether the tag t_i in z_i = x_i || t_i is his tag. If the
ballot z_i is not found on the list 600, then the voter V_i points out
fraud of the counter C, presenting the vote data <z_i, y_i>.

Step 6: The counter C performs the following vote counting by the
counter apparatus 300.

Step 6-1: When no allegation of fraud is received via the
receiving part 360 from the voter V_i within a predetermined period
of time after the reception of his ballot z_i and signature y_i, the
counter C separates the ciphertext x_i from the ballot z_i = x_i || t_i
in the separation part 350, and decrypts it by the decryptor 330
using the secret key k_SC to detect the vote content v_i:

    v_i = ρ_C(x_i, k_SC).

Then the counter C verifies whether the vote content v_i is valid or
not, that is, whether it correctly represents the name or symbol of any
one of the candidates offered in advance. If not so, the vote is
regarded as invalid.

Step 6-2: The counter C counts the vote contents v_i in the ballot
list 320A of Fig. 2C by means of the counter 340 to obtain the number
of votes polled for each candidate, then publishes the results of the
vote count as the poll list 320B of Fig. 2E and, at the same time, adds
v_i to a q-th piece of data <x_i, t_i, y_i> as depicted in Fig. 2D. The
results of the vote count are published together with the ballot list
320A.

Step 7: The voter V_i verifies the validity of the manipulation or
management of the counter C by means of the voter apparatus 100.
That is, the voter V_i checks whether all vote contents v_i have been
contained in the ballot list 320A of Fig. 2C, and whether the ciphertext
x_i and the vote content v_i of the voter correspond to each other.

Incidentally, Step 5 may be omitted, and the publication of the
poll list 320B in Step 6-2 and Step 7 may also be omitted.
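
The message flow of Steps 1 through 6, written out as an added example that is not part of the specification. It assumes RSA for every function (the specification names RSA only as one possibility), hash-then-sign in place of the message-recovering check z_i = ζ_A(y_i), a random prefix standing in for randomized encryption padding, and toy keys constructed from Mersenne primes; all function, class and variable names are hypothetical.

```python
import hashlib
import secrets
from collections import Counter as Tally
from math import gcd

E = 65537

def keygen(p, q):
    """Textbook RSA key pair (public, private) from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def h(data: bytes, n: int) -> int:
    """SHA-256 digest reduced into Z_n (hash-then-sign, an assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

# Constructed toy keys built from Mersenne primes: insecure, demo only.
VOTER_PUB, VOTER_PRIV = keygen(2**61 - 1, 2**89 - 1)        # voter V_i
ADMIN_PUB, ADMIN_PRIV = keygen(2**107 - 1, 2**127 - 1)      # administrator A
COUNTER_PUB, COUNTER_PRIV = keygen(2**521 - 1, 2**607 - 1)  # counter C
X_LEN = (COUNTER_PUB[0].bit_length() + 7) // 8
TAG_LEN = 16

def request_digest(e_i: int, voter_id: str, n: int) -> int:
    return h(f"{e_i}|{voter_id}".encode(), n)

# ---- voter apparatus 100 ----
def prepare_ballot(vote: str):
    """Steps 1-1 and 1-2: ciphertext x_i, tag t_i, ballot z_i, blinded e_i."""
    n_c, e_c = COUNTER_PUB
    # Random prefix stands in for a randomized padding scheme (assumption).
    m = int.from_bytes(b"\x01" + secrets.token_bytes(16) + vote.encode(), "big")
    x = pow(m, e_c, n_c)                                   # x_i = xi_C(v_i, k_PC)
    z = x.to_bytes(X_LEN, "big") + secrets.token_bytes(TAG_LEN)  # z_i = x_i || t_i
    n_a, e_a = ADMIN_PUB
    while True:
        r = secrets.randbelow(n_a - 2) + 2
        if gcd(r, n_a) == 1:
            break
    e_i = h(z, n_a) * pow(r, e_a, n_a) % n_a               # e_i = omega_A(z_i, r_i)
    return z, r, e_i

def sign_request(e_i: int, voter_id: str) -> int:
    """Step 1-3: s_i = sigma_i(e_i, ID_i)."""
    n, d = VOTER_PRIV
    return pow(request_digest(e_i, voter_id, n), d, n)

def unblind(d_i: int, r: int, z: bytes) -> int:
    """Steps 3-1 and 3-2: y_i = delta_A(d_i, r_i), then verify it."""
    n, e = ADMIN_PUB
    y = d_i * pow(r, -1, n) % n
    if pow(y, e, n) != h(z, n):
        raise ValueError("administrator returned an invalid signature")
    return y

# ---- administrator apparatus 200 ----
class Administrator:
    def __init__(self, eligible):
        self.eligible = eligible      # eligible-voter list 240A: ID -> public key
        self.authorized = []          # authorized-voter list 240B

    def authorize(self, e_i, s_i, voter_id):
        if voter_id not in self.eligible:          # Step 2-1: not eligible
            return None
        if voter_id in self.authorized:            # Step 2-2: double voting
            return None
        n, e = self.eligible[voter_id]
        if pow(s_i, e, n) != request_digest(e_i, voter_id, n):   # Step 2-3
            return None
        self.authorized.append(voter_id)
        n_a, d_a = ADMIN_PRIV
        return pow(e_i, d_a, n_a)                  # d_i = sigma_A(e_i)

# ---- counter apparatus 300 ----
class BallotCounter:
    def __init__(self, candidates):
        self.candidates = candidates
        self.ballot_list = []         # ballot list 320A: (q, z_i, y_i)

    def receive(self, z, y):
        n, e = ADMIN_PUB
        if pow(y, e, n) != h(z, n):                # Step 4-1: check A's signature
            return None
        if any(z == seen for _, seen, _ in self.ballot_list):
            return None    # replay check: added here, not a step on the page
        q = len(self.ballot_list) + 1
        self.ballot_list.append((q, z, y))
        return q

    def tally(self):
        n, d = COUNTER_PRIV
        votes = Tally()
        for _, z, _ in self.ballot_list:           # Step 6-1: split z_i, decrypt x_i
            m = pow(int.from_bytes(z[:X_LEN], "big"), d, n)
            raw = m.to_bytes((m.bit_length() + 7) // 8, "big")[17:]
            vote = raw.decode(errors="replace")
            votes[vote if vote in self.candidates else "INVALID"] += 1
        return dict(votes)                         # Step 6-2: poll list
```

The administrator only ever handles e_i, which differs from the digest of z_i by the factor r_i^e, so the signed ballot that later reaches the counter cannot be matched to the authorization request.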

In this embodiment, since the voter V_i encrypts the vote content
v_i into x_i = ξ_C(v_i, k_PC) by the encryption function ξ_C of the
counter C and sends him the vote data <z_i, y_i>, the counter C could
view the vote content v_i by decrypting the ciphertext x_i in the
ballot z_i with the decryption function v_i = ρ_C(x_i, k_SC) through
the use of the secret key k_SC of the counter C even before the
publication of the ballot list 320A in step S4-2. In other words, the
counter C is in a position to get information such as the trend of
voting or intermediate results of the vote count prior to the
publication of the ballot list 320B and hence leak the information to a
particular person prior to the publication of the official results of
the vote count; this is undesirable in terms of the fairness of
elections. Besides, according to the first embodiment of the
invention, if the counter apparatus 300 suffers a breakdown, the
vote count cannot be completed on schedule in some cases. A
description will be given below of another embodiment of the present
invention which is intended to obviate these problems by the
participation of plural distributed counters in the decryption and vote
counting processes.

The distributed counters use the same crypto-functions (the
encryption function ξ_C and decryption function ρ_C) as in the
public-key cryptosystem. However, the decryption process involves
the use of a distributed secret key k_SCj of every distributed counter,
or requires a certain number (a threshold value U_t, where
2 < U_t < U) of people to work together. The crypto-functions
mentioned above are encryption and decryption functions of, for
instance, the ElGamal cryptosystem (Taher ElGamal, "A public key
cryptosystem and a signature scheme based on discrete logarithms,"
IEEE Transactions on Information Theory, Vol. IT-31, No. 4, pp. 469-472
(July, 1985)). The scheme of decryption by the distributed counters
using such crypto-functions and the scheme using the threshold value
are described in detail in Yvo Desmedt and Yair Frankel, "Threshold
cryptosystems," in Advances in Cryptology-CRYPTO '89, Lecture Notes
in Computer Science 435, Springer-Verlag, Berlin, pp. 307-315 (1990).

EMBODIMENT 2 

Fig. 7 schematically illustrates the general configuration of a
voting system according to a second embodiment of the present
invention. This embodiment is identical with the first embodiment in
that every voter apparatus 100 is connected to the administrator
apparatus 200 through the communication channel 400 and to one
counter apparatus through the anonymous communication channel
500, but structurally differs in that a plurality of counter apparatuses
(hereinafter referred to as distributed counter apparatuses) 300_j
(where j = 1, ..., U) are provided. The distributed counter apparatus
300_1 decrypts ciphertexts from all voters to generate x_i1 and sends it
to the next distributed counter 300_2; similarly, a j-th distributed counter
apparatus 300_j decrypts decrypted data x_i(j-1) received from the
immediately preceding distributed counter apparatus 300_(j-1) to
generate decrypted data x_ij and sends it to the next distributed
counter apparatus 300_(j+1). The vote content v_i is obtained for the first
time with the decryption process by the last distributed counter
apparatus 300_U. As is the case with the first embodiment, the
identification information ID_i of the voter is attached to the data
that is sent from the voter apparatus 100_i to the administrator 200
via the communication channel, but no identification information ID_i
accompanies the data that is sent to the distributed counter apparatus
300_1 via the anonymous communication channel 500.

This embodiment is identical with the first embodiment in the
communication sequence, the configuration of each voter apparatus
100 and the configuration of the administrator apparatus 200 except
that the counter apparatus 300 is substituted with a plurality of
distributed counter apparatuses. Furthermore, this embodiment is
common to the first embodiment in that each voter encrypts the vote
content v_i by x_i = C(v_i, k_PC) through the use of the common public key
k_PC. The counters C_1 to C_U each have one of U partial secret keys k_SC1,
k_SC2, ..., k_SCU into which the secret key k_SC is split, and perform the
decryption process using them, respectively, but no distributed
counter apparatus 300_j can decrypt the vote content v_i from the
ciphertext x_i on a stand-alone basis. In the case of employing the
aforementioned ElGamal cryptosystem, the partial secret keys k_SC1,
k_SC2, ..., k_SCU can be set such that the sum total of their values equals
the value of the secret key k_SC corresponding to the public key k_PC.
This is described in the aforementioned Desmedt-Frankel literature.

Fig. 8A depicts the configuration of the first distributed
apparatus 300_1 that collects ballots from the voter apparatuses 100_1
to 100_T. The distributed counter apparatus 300_1 comprises a
signature verification part 310, a storage part 320, a counter 340, a
separation part 340, a partial decryption part 331, a receiving part
360, a vote list generating part 370, and a transmitting-receiving part
380. The first distributed counter apparatus 300_1 differs from the
counter apparatus 300 in the first embodiment of Fig. 5 in the points
described below. First, the partial decryption part 331 generates
decrypted intermediate data by performing a decryption process
x_i1 = p_C1(x_i, k_SC1) on the ciphertext x_i through the use of the partial
secret key k_SC1, the decrypted intermediate data x_i1 being sent to the
next distributed counter apparatus 300_2. Second, the counter 340
receives the decrypted vote content v_i from the last distributed
counter apparatus 300_U and counts the votes. The second through
U-th distributed counter apparatuses 300_2 to 300_U are common in
that they have only a partial decryption part 331 as shown in Fig. 8B,
in which the j-th distributed counter apparatus (where 2 ≤ j ≤ U) is
exemplified. The j-th distributed counter apparatus 300_j performs a
decryption process p_Cj(x_i(j-1), k_SCj) of decrypted intermediate data
x_i(j-1) from the preceding-stage distributed counter apparatus 300_(j-1) to
generate decrypted intermediate data x_ij and sends it to the
next-stage distributed counter apparatus 300_(j+1). The distributed counter
apparatus 300_U of the last stage obtains the ultimate decrypted result
x_iU as the vote content v_i = x_iU by a decryption process
x_iU = p_CU(x_i(U-1), k_SCU), and sends the vote content v_i to the first
distributed counter apparatus 300_1.

A description will be given of the voting procedure in the second
embodiment. This embodiment is common to the first embodiment in
the procedure from Steps 1 through 5. However, it is the first
distributed counter apparatus 300_1 that receives the vote data <z_i, y_i>
from each voter apparatus 100_i. The second embodiment modifies
Steps 6 and 7 in the first embodiment as described below, and U
represents the number of distributed counter apparatuses.

Step 6: The distributed counter C_j (where j = 1, ..., U) performs the
vote counting process by the distributed counter apparatus 300_j as
described below.

Step 6-1: The first distributed counter apparatus 300_1 separates
z_i = x_i || t_i in the vote data <z_i, y_i> from each voter apparatus 100_i
(where i = 1, ..., T) by the separation part 350 into the ciphertext x_i
and the tag t_i, and performs the following decryption process in the
partial decryption part 330 using the partial secret key k_SC1 to obtain
the decrypted intermediate data x_i1:

x_i1 = p_C1(x_i, k_SC1).

Then the distributed counter apparatus 300_1 sends the decrypted
intermediate data x_i1 to the second distributed counter apparatus
300_2.

Thereafter, the j-th distributed counter apparatus 300_j similarly
performs the following decryption process of decrypted intermediate
data x_i(j-1) from the (j-1)th distributed counter apparatus 300_(j-1) in the
partial decryption part 330 using the partial secret key k_SCj:

x_ij = p_Cj(x_i(j-1), k_SCj),

and sends the data x_ij to the next (j+1)th distributed counter
apparatus 300_(j+1).

The last U-th distributed counter apparatus 300_U obtains the
vote content v_i by performing the following decryption process of
decrypted intermediate data x_i(U-1) from the (U-1)th distributed
counter apparatus 300_(U-1) in the partial decryption part 330 using the
partial secret key k_SCU:

v_i = x_iU = p_CU(x_i(U-1), k_SCU).

The U-th distributed counter apparatus 300_U makes a check to see if
the thus obtained vote content v_i is valid.

Step 6-2: The U-th distributed counter C_U counts the vote
contents v_i by the counter 340, then publishes the results of the vote
count and, at the same time, adds the vote contents v_i to the poll list
320B.

Step 7: The voter V_i verifies the validity of the manipulation or
management of the U-th distributed counter apparatus 300_U by
means of the voter apparatus 100_i.

As described above, according to the second embodiment, the
plurality of distributed counter apparatuses 300_1 to 300_U sequentially
perform the decryption process and the distributed counter apparatus
300_U ultimately obtains the vote content v_i; hence, no distributed
counter is allowed to view the vote content v_i singly prior to the vote
counting.
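
The sequential decryption of the second embodiment can be traced with ElGamal and an additive key split, as in the following added example (not part of the specification). The toy group parameters, the vote encoding and all function names are assumptions made for the illustration.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def split_key(k_sc, u):
    """Split k_SC into u partial keys whose sum is k_SC modulo Q."""
    shares = [secrets.randbelow(Q) for _ in range(u - 1)]
    shares.append((k_sc - sum(shares)) % Q)
    return shares

def encrypt(v, k_pc):
    """ElGamal encryption of a vote v (a group element) under the public key k_PC."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (v * pow(k_pc, r, P)) % P

def partial_decrypt(x, k_scj):
    """Counter j removes only the mask that its own partial key contributes."""
    c1, c2 = x
    return c1, (c2 * pow(c1, -k_scj, P)) % P

def chain_decrypt(x, shares):
    """Pass x_i through counters 1..U; return the payload of each x_ij in order."""
    trace = []
    for k_scj in shares:
        x = partial_decrypt(x, k_scj)
        trace.append(x[1])
    return trace

if __name__ == "__main__":
    k_sc = secrets.randbelow(Q - 1) + 1
    k_pc = pow(G, k_sc, P)
    shares = split_key(k_sc, 4)          # U = 4 distributed counters
    vote = pow(G, 2, P)                  # constructed encoding of "candidate 2"
    x_i = encrypt(vote, k_pc)
    trace = chain_decrypt(x_i, shares)
    print("payloads of x_i1..x_iU:", trace)
    print("last counter recovers the vote:", trace[-1] == vote)
```

Every payload before the last one is still masked by the partial keys of the counters that have not yet acted, so the vote appears only at counter U.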


THIRD EMBODIMENT 

Fig. 9 illustrates the general configuration of a voting system
according to a third embodiment of the present invention. In this
embodiment each voter apparatus 100_i (where i = 1, ..., T) is made
connectable to all the distributed counter apparatuses 300_1 to 300_U
through the communication channels 500, and sends its generated
vote data <z_i, y_i> to all of the distributed counter apparatuses 300_1 to
300_U. The configurations of each voter apparatus 100_i and the
administrator apparatus 200 are the same as in the first and second
embodiments.

The first to (U-1)th distributed counter apparatuses 300_1 to
300_(U-1) are all identical in configuration. Fig. 10A depicts the
configuration of the j-th distributed counter apparatus 300_j, which
comprises: a signature verification part 310 for verifying the validity
of the signature y_i for the ballot z_i in the vote data <z_i, y_i> received
from each voter apparatus 300_i; a separation part 350 for separating
the ciphertext x_i from the ballot z_i; and a partial decryption part 331
for performing the decryption process x_ij = p_Cj(x_i, k_SCj) of the
ciphertext x_i by the partial secret key k_SCj to obtain the decrypted
intermediate data x_ij, which is sent to a predetermined one of the
distributed counter apparatuses, in this example, 300_U. As depicted
in Fig. 10B, the distributed counter apparatus 300_U additionally
comprises, in the configuration of Fig. 10A, a storage part 320, a total
decryption part 332, a counter 340, a vote list generating part 370
which gives a serial number q to each of the vote data <z_i, y_i> received
from all of the distributed counter apparatuses 300_1, ..., 300_U and
writes it in the ballot list 320A, and a transmitting-receiving part 380
which allows the voter apparatuses to access the ballot list 320A and
the poll list 320B. In the storage part 320 there are made up a ballot
vote list 320A on which to place vote data received from the other
distributed counters 300_1 to 300_(U-1) and a poll list 320B on which to
place the total number of ballots polled for each candidate. The total
decryption part 332 performs the decryption process
v_i = p_C(x_i1, ..., x_iU), using the decryption function p_C, for the
decrypted intermediate data x_i1 to x_iU generated in the respective
distributed counter apparatuses 300_1 to 300_U to obtain the vote
content v_i, and provides it to the counter 340. The counter 340
verifies the validity of the vote content v_i and, if valid, adds 1 to the
number of ballots polled for the corresponding candidate in the poll
list 320B in the storage part 320. At the same time, the counter 340
adds v_i to the corresponding vote data on the ballot list.

This embodiment also inhibits any of the distributed counter
apparatuses from decrypting the vote content v_i from the ciphertext
x_i on a stand-alone basis, and hence it ensures fraud-free, fair
elections.

MODIFICATION 1 
In the second and third embodiments the vote content v_i cannot
be decrypted from the ciphertext x_i without collaboration of all the
distributed counters C_1 to C_U. This embodiment modifies the
above-described decryption process by requiring at least L (where
2 ≤ L ≤ U-1) distributed counter apparatuses to work together to decrypt
the vote content from the ciphertext x_i, using the public key k_C. This
can be done, for example, by the application of the aforementioned
Desmedt-Frankel scheme to the configuration of the partial decryption
part 331. This method will be described below as being applied to the
second embodiment (Figs. 7, 8A and 8B).

For example, when any one 300_j of the distributed counter
apparatuses 300_2 through 300_U suffers a breakdown, the distributed
counter apparatus 300_(j-1) sends the decrypted intermediate data x_i(j-1)
to the distributed counter apparatus 300_(j+1), bypassing the failing one
300_j. The distributed counter apparatus 300_(j+1) decrypts the received
decrypted intermediate data x_i(j-1) by performing the decryption
process x_i(j+1) = p_C(x_i(j-1), k_SC(j+1)) with the partial secret key
k_SC(j+1) to obtain the decrypted intermediate data x_i(j+1), and passes it
to the next distributed counter apparatus 300_(j+2). The method for
generating the secret key for use in this case is described, for example,
in the aforementioned Desmedt-Frankel literature. Assume that all the
distributed counter apparatuses 300_1 through 300_U have the
configuration depicted in Fig. 8A. In this instance, even if the first
distributed counter apparatus 300_1 breaks down, the distributed
counter apparatus 300_2 of the next stage substitutes therefor to
receive the vote data <z_i, y_i> from the voter apparatuses 100_1 to 100_T.
The distributed counter apparatus 300_U of the final stage sends the
decrypted vote content v_i to the distributed counter apparatus 300_2
that carries out the required operation on behalf of the failing
distributed counter apparatus 300_1. Thus this embodiment enables
the vote counting to be carried out regardless of which distributed
counter apparatus breaks down.

MODIFICATION 2

With the application of the Desmedt-Frankel scheme to the
partial decryption part 331 and the total decryption part 332, it is
also possible, in the third embodiment (Figs. 9, 10A and 10B), to
decrypt the vote content v_i if the decrypted intermediate data by at
least L (where 2 ≤ L ≤ U-1) distributed counter apparatuses is
obtainable. For example, when the distributed counter apparatuses
300_1 through 300_(U-L) break down, decrypted intermediate data
x_i(U-L+1) to x_iU from the remaining distributed counter apparatuses
300_(U-L+1) to 300_U are provided to the total decryption part 332 of the
distributed counter apparatus 300_U for the decryption of the vote
content v_i through the decryption process
v_i = p_C(x_i(U-L+1), x_i(U-L+2), ..., x_iU) of the received pieces of
decrypted intermediate data. The counter 340 verifies the validity of
the thus decrypted vote content v_i and, if valid, adds 1 to the number
of polls voted for the candidate corresponding to v_i on the poll list
320B in the storage part 320.

With the application of the configuration of Fig. 10B to all of the
distributed counter apparatuses 300_1 to 300_U in this modification,
even if a total of U-L distributed counter apparatuses break down, it
is possible to count the votes by causing one of the remaining
distributed counter apparatuses to perform the same operation as
described previously with reference to Fig. 10B.
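
The L-out-of-U decryption of Modification 2 can be sketched as threshold ElGamal, as in the following added example (not part of the specification). The specification only cites the Desmedt-Frankel paper, so the use of Shamir sharing with Lagrange interpolation in the exponent, the toy group and all function names are assumptions.

```python
import secrets

# Toy group, constructed for this example and far too small for real use.
P, Q, G = 2039, 1019, 4

def shamir_shares(k_sc, l, u):
    """k_SCj = f(j) for a random polynomial of degree l-1 with f(0) = k_SC."""
    coeffs = [k_sc] + [secrets.randbelow(Q) for _ in range(l - 1)]
    return {j: sum(c * pow(j, e, Q) for e, c in enumerate(coeffs)) % Q
            for j in range(1, u + 1)}

def encrypt(v, k_pc):
    """ElGamal encryption of a vote v (a group element) under k_PC."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (v * pow(k_pc, r, P)) % P

def partial(x, k_scj):
    """Partial decryption part 331: counter j's intermediate data x_ij."""
    return pow(x[0], k_scj, P)

def lagrange_at_zero(j, ids):
    """Lagrange coefficient of counter j at 0 over the responding counters."""
    num = den = 1
    for m in ids:
        if m != j:
            num = num * (-m) % Q
            den = den * (j - m) % Q
    return num * pow(den, -1, Q) % Q

def total_decrypt(x, partials, l):
    """Total decryption part 332: combine the data of any l working counters."""
    if len(partials) < l:
        raise ValueError("fewer than L distributed counters responded")
    ids = sorted(partials)[:l]
    mask = 1
    for j in ids:
        mask = mask * pow(partials[j], lagrange_at_zero(j, ids), P) % P
    return x[1] * pow(mask, -1, P) % P

if __name__ == "__main__":
    U, L, k_sc = 5, 3, 77                      # constructed sample values
    shares = shamir_shares(k_sc, L, U)
    x_i = encrypt(16, pow(G, k_sc, P))         # vote encoded as 16 = G^2
    alive = {j: partial(x_i, shares[j]) for j in (3, 4, 5)}  # 300_1, 300_2 down
    print("vote from counters 3..5:", total_decrypt(x_i, alive, L))
```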

Figs. 3 to 5, 8A, 8B, 10A and 10B depict the functional
configurations of the respective apparatuses; their functions each can
be implemented into operation by means of a controller, or they can
be executed wholly or partly by a computer.



EFFECT OF THE INVENTION 

As described above, the present invention encrypts the vote
content v_i with the public encryption key k_PC of the counter, and
hence it obviates the necessity for the voter to send a key to the
counter for the decryption of the vote content v_i.

With plural counters, the vote counting cannot be started without
the consent of them all.

In the case where a fixed number of counters can count the
votes, it is possible to perform the vote counting by the collaboration
of a certain number of valid or normal counter apparatuses,
protecting the vote counting from the influence of fraud or failing
apparatus.

Moreover, an alteration of the vote content by the counter could
be detected by checking the published list of vote contents. That is,
when having found that his vote has not been counted, the voter
needs only to point out or allege fraud by publishing the encrypted
ballot x_i and the administrator's signature y_i. In this instance, when
the number of dishonest counters is fixed, the voter privacy is
protected.

Besides, according to the present invention, since the vote content
is sent after being encrypted with the encryption key, it is possible to
prevent a fraud that, at the time of collecting ballots, one of the plural
counters leaks the intermediate result of vote count to affect the
election.

As will be appreciated from the above, the present invention
provides increased convenience to voters through utilization of the
counter's encryption key and, by using plural counters, protects
against the fraud of leaking the intermediate result of the vote count
to affect the election.

It will be apparent that many modifications and variations may
be effected without departing from the scope of the novel concepts of
the present invention.



